healer | 312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe
Size

842KB
MD5

83a606e6b8b4a6ed5857d3a870ae79eb
SHA1

3baa2d2a3d20031e6c677b8020a9c00b3733e30c
SHA256

312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9
SHA512

39479c31d1033557821001622942fd73a81df43208a55ad6438371a017752729b649733e5b68f1c75882e770fcbe28cd9b7dd6b9daf07cd1804894e3b36e2bc1
SSDEEP

12288:IMrjy90zMrZLOwJJaTp4eRaLy9bRit1zkXWmLy73aMiwIXSLOdP7FRWT4MqZXSGV:byRdOwISx8VigLMatprtXWkFSe

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/936-19-0x00000000024F0000-0x000000000250A000-memory.dmp	healer
behavioral1/memory/936-21-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/936-49-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-45-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-39-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-35-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-33-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-31-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-29-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-27-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-25-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-23-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-22-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-47-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-43-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/936-41-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro8251.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8251.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1824-2143-0x0000000004F20000-0x0000000004F52000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/4416-2156-0x0000000000E50000-0x0000000000E80000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si281365.exe	family_redline
behavioral1/memory/5736-2167-0x00000000000F0000-0x000000000011E000-memory.dmp	family_redline

Redline family
redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qu8172.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation qu8172.exe
Executes dropped EXE 5 IoCs

Processes:

un642124.exepro8251.exequ8172.exe1.exesi281365.exe

pid process

1984 un642124.exe
936 pro8251.exe
1824 qu8172.exe
4416 1.exe
5736 si281365.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	qu8172.exe

pid	process
1984	un642124.exe
936	pro8251.exe
1824	qu8172.exe
4416	1.exe
5736	si281365.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro8251.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8251.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8251.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exeun642124.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un642124.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3004 936 WerFault.exe pro8251.exe
5484 1824 WerFault.exe qu8172.exe

pid	pid_target	process	target process
3004	936	WerFault.exe	pro8251.exe
5484	1824	WerFault.exe	qu8172.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exeun642124.exepro8251.exequ8172.exe1.exesi281365.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un642124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si281365.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro8251.exe

pid process

936 pro8251.exe
936 pro8251.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8251.exequ8172.exe

description pid process

Token: SeDebugPrivilege 936 pro8251.exe
Token: SeDebugPrivilege 1824 qu8172.exe

pid	process
936	pro8251.exe
936	pro8251.exe

description	pid	process
Token: SeDebugPrivilege	936	pro8251.exe
Token: SeDebugPrivilege	1824	qu8172.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exeun642124.exequ8172.exe

description	pid	process	target process
PID 2840 wrote to memory of 1984	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	un642124.exe
PID 2840 wrote to memory of 1984	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	un642124.exe
PID 2840 wrote to memory of 1984	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	un642124.exe
PID 1984 wrote to memory of 936	1984	un642124.exe	pro8251.exe
PID 1984 wrote to memory of 936	1984	un642124.exe	pro8251.exe
PID 1984 wrote to memory of 936	1984	un642124.exe	pro8251.exe
PID 1984 wrote to memory of 1824	1984	un642124.exe	qu8172.exe
PID 1984 wrote to memory of 1824	1984	un642124.exe	qu8172.exe
PID 1984 wrote to memory of 1824	1984	un642124.exe	qu8172.exe
PID 1824 wrote to memory of 4416	1824	qu8172.exe	1.exe
PID 1824 wrote to memory of 4416	1824	qu8172.exe	1.exe
PID 1824 wrote to memory of 4416	1824	qu8172.exe	1.exe
PID 2840 wrote to memory of 5736	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	si281365.exe
PID 2840 wrote to memory of 5736	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	si281365.exe
PID 2840 wrote to memory of 5736	2840	312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe	si281365.exe

C:\Users\Admin\AppData\Local\Temp\312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe
"C:\Users\Admin\AppData\Local\Temp\312f072a813e59c76c94eccab43bdc6736a1f586f06dcaa9b8a5c1b5161298f9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un642124.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un642124.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1080
4⤵
- Program crash
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8172.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8172.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1376
4⤵
- Program crash
PID:5484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si281365.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si281365.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 936 -ip 936
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1824 -ip 1824
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si281365.exe

Filesize
169KB

MD5
d75fdbbbe3fe9b31f71e5d39a301abd2

SHA1
d2269ade2c72ac1eb44d03f47be6b00d62358280

SHA256
68f601e087ed118b290b37f5c507af845f0bf3c276333b22080344c539d18156

SHA512
e42ef5c68b8c4217e99a4b5329a516bd3e11de0e286d8a62aa6c41ab1235925476438aa91ed1f7e882b670754f515d901354e7fa0aea44ff09d20cdcebc92607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un642124.exe

Filesize
688KB

MD5
f17765bb8f7b8c54fa16b9510d7f63e4

SHA1
32b8601adf7f61296aaf4b356c6b7fab645b900b

SHA256
09f09f9bf35a049967680bcb09fe1d7304b26f34aa89714d854b4d8e1a8273a7

SHA512
5f29c668738ecc9c7cb77037772b6357ec70e20dfa3e8952e0ee6ca4ae5899f260285d62b603378c475f10e130211540493165f2fa24b87cbc3895b4079dd1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8251.exe

Filesize
233KB

MD5
cd1e40ccdfe95844a5866f7b5af25d0f

SHA1
8a4c4a6a63d6adea0bda500505504eb788ab6b63

SHA256
fa6c79fb58327cfa38894bb7a35253976c8df7e4a541aa55776626f8380ba526

SHA512
4fcc7cbbe5574b87ac1858531e093ea9083fbd939234808e020d4afeac457524420b5b8f72b731ca161a1b40276008f1ec48f3ee57cb02ec0acc4426d1b855fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8172.exe

Filesize
495KB

MD5
77bf48e6cfa248e172336254f774db4f

SHA1
1252a7d4898a73ea495b276a1b285db6538240de

SHA256
182731c253f38cc65b8990637ab7301ad73dccc5d261ae30ef5f8455e808fd95

SHA512
25e3075dc71175b7ffde66ae136084db28b149e6eec4c86b08d9985f0c83a3cdf332f5f4eb4fed89f322250c5023721a03eee8b762ce9f726de0f10a110c77e3

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/936-15-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/936-16-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/936-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/936-18-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/936-19-0x00000000024F0000-0x000000000250A000-memory.dmp

Filesize
104KB

Download
memory/936-20-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/936-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/936-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-45-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-35-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-31-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-23-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-47-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/936-50-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/936-51-0x00000000004C0000-0x00000000004ED000-memory.dmp

Filesize
180KB

Download
memory/936-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/936-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/936-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-61-0x0000000002680000-0x00000000026E6000-memory.dmp

Filesize
408KB

Download
memory/1824-62-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/1824-70-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-90-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-94-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-92-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-88-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-87-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-84-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-82-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-80-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-78-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-76-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-74-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-72-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-68-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-66-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-96-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-64-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-63-0x0000000004E70000-0x0000000004ECF000-memory.dmp

Filesize
380KB

Download
memory/1824-2143-0x0000000004F20000-0x0000000004F52000-memory.dmp

Filesize
200KB

Download
memory/4416-2156-0x0000000000E50000-0x0000000000E80000-memory.dmp

Filesize
192KB

Download
memory/4416-2157-0x0000000003070000-0x0000000003076000-memory.dmp

Filesize
24KB

Download
memory/4416-2158-0x0000000005ED0000-0x00000000064E8000-memory.dmp

Filesize
6.1MB

Download
memory/4416-2159-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/4416-2160-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/4416-2161-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/4416-2166-0x00000000058B0000-0x00000000058FC000-memory.dmp

Filesize
304KB

Download
memory/5736-2167-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/5736-2168-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download